Looking for a web-based php/js shell, to execute SSH commands on a Windows Server 2019

I’m looking for a web-based shell that can be installed on my rented Windows vServer 2019.

The shell should be some sort of PHP shell that takes instructions via a web browser from anywhere in the world.
It should be installed / executed via a web server (doesn’t matter which one: Apache via XAMPP, or IIS).

My problem is: I’d like to execute simple batch commands on that Windows server and receive the output accordingly, but my Internet access is pretty well filtered (all traffic is routed through an SSL-scanning proxy), so I’m not able to connect to the machine simply via SSH or the like. That’s why I’m looking for such a web-based shell.

Of course I know this is bad practice, but it’s probably my only solution.

Is there any shell around that can do just that?

Thx a lot!

networking – Options to forward vm to internet via ssh tunnel

I want to give a VM in qemu/kvm internet access, but only via a port I can forward through an SSH tunnel.

qemu -> host (already established) ssh tunnel on port 8083 -> ssh proxy -> www

Ports for browsers and services can be forwarded; how do I forward the VM? I can forward browser traffic through the tunnel on port 8083 to the SSH server on port 22 and then out to the internet. Instead of forwarding browser traffic, I want to forward QEMU traffic.

  1. I don't want to use a system-wide VPN.
  2. Is creating a bridge the correct solution?
  3. Are iptables rules on the qemu host/VM the correct solution?
  4. Set up an SSH tunnel: vm -> host -> ssh proxy server -> www

linux – PasswordLess SSH – Server Fault

We have established a passwordless SSH connection between a Windows machine and Linux.

For this we copied the public key into .ssh/authorized_keys on the Linux machine.

The SSH connection was working fine, and we were using “userA” for SSH.

But when the password of “userA” expired, the SSH connection stopped working.

As we were using keys, not a password, why did the SSH connection stop working?
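With UsePAM yes (what distribution sshd_config files ship), sshd runs the PAM account stage for every login, publickey included, and pam_unix enforces the ageing fields of /etc/shadow there, which is why an expired password stops a key-based login. The following bash function, an added example that is not part of the question, applies those shadow(5) rules to one entry so the refusal can be predicted; every entry in it is constructed, and 18444 is simply 2020-07-01 as a day count.

```shell
#!/usr/bin/env bash
# Added example, not part of the original question. With `UsePAM yes`, sshd runs
# the PAM account stage for every login, publickey included, and pam_unix applies
# the ageing fields of /etc/shadow there. This function applies the same rules
# to one shadow(5) line so you can see why a key-based login is refused.
# All entries below are constructed; 18444 is 2020-07-01 as a day count.

# shadow_status <shadow-line> <today-as-days-since-1970-01-01>
# Prints: ok | password_change_required | account_expired
shadow_status() {
    local line="$1" today="$2"
    local user pw lastchg min max warn inact expire reserved
    IFS=: read -r user pw lastchg min max warn inact expire reserved <<<"$line"

    # Field 8: absolute account expiry date, checked before the password age.
    if [[ -n "$expire" ]] && (( expire > 0 && today >= expire )); then
        echo account_expired; return 0
    fi
    # Field 3 == 0 means "password must be changed at next login".
    if [[ "$lastchg" == 0 ]]; then
        echo password_change_required; return 0
    fi
    # Empty or negative max age: the password never ages out.
    if [[ -z "$lastchg" || -z "$max" ]] || (( max < 0 )); then
        echo ok; return 0
    fi
    local age=$(( today - lastchg ))
    if (( age > max )); then
        # Beyond max + inactive days the whole account is locked, not just the password.
        if [[ -n "$inact" ]] && (( inact >= 0 && age > max + inact )); then
            echo account_expired; return 0
        fi
        # Inside the inactivity window PAM demands a password change, which a
        # key-only, non-interactive SSH login cannot satisfy.
        echo password_change_required; return 0
    fi
    echo ok
}

# Today as a day count, the unit chage(1) and the shadow file use (GNU date).
days_since_epoch() { echo $(( $(date -u -d "${1:-today}" +%s) / 86400 )); }

# Demo over constructed entries: ages 100, 200 and 10 days with max 90, inactive 30.
today=18444
for entry in \
    "userA:\$6\$salt\$hash:$(( today - 100 )):0:90:7:30::" \
    "userB:\$6\$salt\$hash:$(( today - 200 )):0:90:7:30::" \
    "userC:\$6\$salt\$hash:$(( today - 10 )):0:90:7:30::"; do
    printf '%s: %s\n' "${entry%%:*}" "$(shadow_status "$entry" "$today")"
done
```

On a real host the same check is `shadow_status "$(sudo grep "^userA:" /etc/shadow)" "$(days_since_epoch)"`; `chage -l userA` shows the same fields in dates, and `chage -M -1 userA` or a password change clears the condition.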

iptables – libvirt with qemu/kvm guest, guest can ssh to host and vice versa, but failed to samba or ftp to host

I am running libvirt/qemu-kvm on Fedora 32; the guest OS is CentOS 7.

I use 'nat' mode virtual networking.

[root@fedora ~]# virsh net-dumpxml default
<network connections='1'>
  <name>default</name>
  <uuid>36ca4070-160a-47bf-b35e-aa7bee028ec1</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:e1:1e:c3'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

On host I can ssh to guest by its ip (192.168.122.230).

On the guest, I can access the internet and can also ssh to my host,
but I fail to access samba and ftp on my host.

For example, when I type 'smbclient -L 192.168.122.1' on the guest,
'tcpdump -i vnet0' on the host shows:

10:03:00.267931 IP 192.168.122.230.57754 > 192.168.122.1.microsoft-ds: Flags [S], seq 1417555984, win 29200, options [mss 1460,sackOK,TS val 4294755489 ecr 0,nop,wscale 7], length 0
10:03:00.267977 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port microsoft-ds unreachable, length 68
10:03:00.273271 IP 192.168.122.230.39152 > 192.168.122.1.netbios-ssn: Flags [S], seq 2454440184, win 29200, options [mss 1460,sackOK,TS val 4294755494 ecr 0,nop,wscale 7], length 0
10:03:00.273290 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port netbios-ssn unreachable, length 68

And 'smbclient' eventually reports 'do_connect: Connection to 192.168.122.1 failed (Error NT_STATUS_CONNECTION_REFUSED)'.

In the case of 'ftp', it is similar to 'samba'.

10:06:11.030486 IP 192.168.122.230.44748 > 192.168.122.1.ftp: Flags [S], seq 4205484033, win 29200, options [mss 1460,sackOK,TS val 4294946254 ecr 0,nop,wscale 7], length 0
10:06:11.030539 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port ftp unreachable, length 68

I am sure the firewall is turned off on the guest, and I can samba to the host from other machines in the LAN.

I checked 'iptables -L -nv' and 'iptables -L -nv -t nat' on the host; no packet got REJECTed or DROPped.

They look like this:

# iptables -L -nv 
Chain INPUT (policy ACCEPT 56760 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination         
68394   45M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19326   23M LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
19326   23M LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 9344 1092K LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 19706 packets, 2824K bytes)
 pkts bytes target     prot opt in     out     source               destination         
28243 3880K LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9982   22M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9344 1092K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  102  6959 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    9  3028 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    9  3004 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

and

# iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 6314 packets, 5976K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4463 packets, 5827K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 546 packets, 73524 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 526 packets, 69524 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1910  218K LIBVIRT_PRT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13  1359 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
   87  4628 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
  192 19180 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24

Am I missing something? What could be the cause?
Thanks.
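One detail in the capture above carries the diagnosis: a SYN to a closed TCP port is answered by the Linux stack with a RST, whereas an ICMP "tcp port ... unreachable" reply is what a netfilter REJECT rule with reject-with icmp-port-unreachable produces. The two helpers below, an added example that is not part of the question, pull that signature out of a tcpdump capture and check whether any REJECT/DROP rule in an iptables -L -nv listing actually counted packets; the sample capture and chain excerpt are the ones from the question.

```shell
#!/usr/bin/env bash
# Added example, not part of the original question. A SYN to a closed TCP port
# is answered by the Linux stack with a RST; an ICMP "tcp port ... unreachable"
# reply is what a netfilter REJECT rule (reject-with icmp-port-unreachable)
# produces. These helpers extract that signature from a capture and check
# whether any REJECT/DROP rule in an `iptables -L -nv` listing actually counted
# packets. The sample capture and chain excerpt are copied from the question.

TCPDUMP_SAMPLE='10:03:00.267931 IP 192.168.122.230.57754 > 192.168.122.1.microsoft-ds: Flags [S], seq 1417555984, win 29200, options [mss 1460,sackOK,TS val 4294755489 ecr 0,nop,wscale 7], length 0
10:03:00.267977 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port microsoft-ds unreachable, length 68
10:03:00.273271 IP 192.168.122.230.39152 > 192.168.122.1.netbios-ssn: Flags [S], seq 2454440184, win 29200, options [mss 1460,sackOK,TS val 4294755494 ecr 0,nop,wscale 7], length 0
10:03:00.273290 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port netbios-ssn unreachable, length 68'

IPTABLES_SAMPLE='Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9982   22M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9344 1092K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# refused_ports: tcpdump text on stdin -> "<dst-ip> <port>" for every TCP SYN
# that was answered with an ICMP tcp port unreachable naming the same host/port.
refused_ports() {
    awk '
        $2 == "IP" && $6 == "Flags" && $7 ~ /^\[S\]/ {
            dst = $5; sub(/:$/, "", dst)          # 192.168.122.1.microsoft-ds
            port = dst; sub(/.*\./, "", port)     # microsoft-ds
            sub(/\.[^.]*$/, "", dst)              # 192.168.122.1
            syn[dst " " port] = 1
        }
        $2 == "IP" && $6 == "ICMP" && $8 == "tcp" && $9 == "port" && $11 ~ /^unreachable/ {
            key = $7 " " $10
            if ((key in syn) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# reject_counters: `iptables -L -nv` text on stdin -> "<chain> <target> <pkts>"
# for every REJECT or DROP rule, so zero counters are visible at a glance.
reject_counters() {
    awk '
        $1 == "Chain" { chain = $2; next }
        $1 ~ /^[0-9]+[KMG]?$/ && ($3 == "REJECT" || $3 == "DROP") { print chain, $3, $1 }'
}

# diagnose <tcpdump-text> <iptables-text>: a one-line verdict.
diagnose() {
    local refused nonzero
    refused="$(refused_ports <<<"$1")"
    nonzero="$(reject_counters <<<"$2" | awk '$3 != "0" { n++ } END { print n + 0 }')"
    if [[ -z "$refused" ]]; then
        echo "no TCP SYN was answered with ICMP port unreachable"
    elif (( nonzero == 0 )); then
        echo "ICMP port unreachable sent for $(paste -s -d ',' - <<<"$refused") but every listed REJECT/DROP counter is 0: the rejecting rule lives outside this listing (check 'nft list ruleset' and the firewalld zone of virbr0)"
    else
        echo "REJECT/DROP rules with non-zero counters exist: inspect those chains"
    fi
}

diagnose "$TCPDUMP_SAMPLE" "$IPTABLES_SAMPLE"
```

For a live host, feed the real output in: `diagnose "$(tcpdump -nn -i vnet0 -c 20 'tcp[tcpflags] & tcp-syn != 0 or icmp' 2>/dev/null)" "$(iptables -L -nv)"`. The two REJECT rules in the question's listing both show 0 packets while the ICMP replies were clearly sent, which is exactly the case where the filter is managed by a ruleset the iptables listing does not display.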

Can SSH, but NOT SFTP – Ubuntu 18

I have a new Ubuntu 18.

I can SSH fine, but I can’t SFTP in.


This is my SSH config:

Port 8200
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem      sftp    /usr/lib/openssh/sftp-server
MaxAuthTries 100
AllowUsers forge

I checked the logs:

tail -f /var/log/auth.log

I see this appended each time it failed:

Jun 30 13:27:18 websocket sshd[3353]: Connection closed by 24.62.137.11 port 51216 [preauth]
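A "Connection closed ... [preauth]" line means the client gave up before authentication completed, so the config settings that govern who and how clients authenticate are the first things to read back. The audit below is an added example, not something from the question: it extracts the settings that decide whether an SFTP client gets in once plain SSH works (the sftp Subsystem, AllowUsers, which auth methods are on) and flags MaxAuthTries, whose OpenSSH default is 6. Keywords are matched case-insensitively, as sshd reads them; Match blocks are ignored. The config is the one from the question with trailing whitespace removed.

```shell
#!/usr/bin/env bash
# Added example, not from the original question: a quick audit of an sshd_config
# for the settings that decide whether an SFTP client gets in once SSH works
# (the sftp Subsystem, AllowUsers, which auth methods are on) plus a flag on
# MaxAuthTries, whose OpenSSH default is 6. Keywords match case-insensitively,
# as sshd reads them; Match blocks are ignored. The config is the one from the
# question with trailing whitespace removed.

SSHD_SAMPLE='Port 8200
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem      sftp    /usr/lib/openssh/sftp-server
MaxAuthTries 100
AllowUsers forge'

# sshd_get <config-text> <keyword>: value of the first occurrence (sshd uses the
# first one it sees), empty when the keyword is not set before any Match block.
sshd_get() {
    awk -v key="$(tr 'A-Z' 'a-z' <<<"$2")" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' <<<"$1"
}

# sshd_audit <config-text>: one finding per line, "<level> <keyword>: <message>".
sshd_audit() {
    local cfg="$1" v
    v="$(sshd_get "$cfg" Subsystem)"
    case "$v" in
        sftp*) echo "info Subsystem: sftp served by ${v#sftp }" ;;
        *)     echo "warn Subsystem: no sftp subsystem, sftp clients are refused after authentication" ;;
    esac
    v="$(sshd_get "$cfg" MaxAuthTries)"
    if [[ "$v" =~ ^[0-9]+$ ]] && (( v > 6 )); then
        echo "warn MaxAuthTries: $v attempts per connection (OpenSSH default is 6)"
    fi
    v="$(sshd_get "$cfg" AllowUsers)"
    [[ -n "$v" ]] && echo "info AllowUsers: only '$v' may log in, the sftp client must use one of these accounts"
    v="$(sshd_get "$cfg" PasswordAuthentication)"
    [[ "${v,,}" == no ]] && echo "info PasswordAuthentication: off, the sftp client has to present an accepted key"
    v="$(sshd_get "$cfg" PermitRootLogin)"
    [[ "${v,,}" == yes ]] && echo "warn PermitRootLogin: yes"
    return 0
}

sshd_audit "$SSHD_SAMPLE"
```

Run it against the live file with `sshd_audit "$(cat /etc/ssh/sshd_config)"`, or, to see the effective values after includes and Match blocks, audit `sshd -T` output instead. For this config the audit reports the sftp subsystem present, password auth off and logins limited to forge, so an SFTP client that closes before auth is most likely connecting as another user, to another port, or without the key; the MaxAuthTries of 100 is flagged because it gives any client that many attempts per connection.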

linux – Bash script to mirror XWindow to remote SSH host

The source code within this question aims to provide a short-cut for mirroring a local XWindow (or session) to a remote host via SSH port forwarding, e.g.…

x11vnc-push-xwindow --id=none raspberrypi

The ReadMe file contains more detailed instructions for setup, but the TLDR is…

mkdir -vp ~/git/hub/rpi-curious
cd ~/git/hub/rpi-curious

git clone --recurse-submodules git@github.com:rpi-curious/x11vnc-push-xwindow.git
cd x11vnc-push-xwindow
ln -s "${PWD}/x11vnc-push-xwindow" "${HOME}/bin/"
x11vnc-push-xwindow raspberrypi
## Select a XWindow, or use `--id=none` to mirror entire session
# x11vnc-push-xwindow --id=none raspberrypi
q
# Ctrl^c

I wrote this project because it helps my own posture to look up at my remote device’s screen, and currently everything seems to function as intended, but as always there’s room for improvement.

Questions

  • Are there any obvious mistakes?

  • Any features that are both missing and necessary?

  • Is there a better way to fully terminate the connection when q is pressed? Currently this is a two-step process of pressing q and then Ctrl+C to quit and then terminate the connection.


Source Code

Note: the source code for this question is maintained on GitHub at rpi-curious/x11vnc-push-xwindow; what is included here are the scripts and shared functions required to test/review without the need for any Git fanciness.

x11vnc-push-xwindow

#!/usr/bin/env bash


## Find true directory script resides in, true name, and true path
__SOURCE__="${BASH_SOURCE[0]}"
while [[ -h "${__SOURCE__}" ]]; do
    __SOURCE__="$(find "${__SOURCE__}" -type l -ls | sed -n 's@^.* -> \(.*\)@\1@p')"
done
__DIR__="$(cd -P "$(dirname "${__SOURCE__}")" && pwd)"
__NAME__="${__SOURCE__##*/}"
__AUTHOR__='S0AndS0'
__DESCRIPTION__='Pushes/mirrors selected XWindow to remote via SSH port forwarding'


## Source module code within this script
source "${__DIR__}/shared_functions/modules/argument-parser/argument-parser.sh"
source "${__DIR__}/shared_functions/modules/trap-failure/failure.sh"


trap 'failure "LINENO" "BASH_LINENO" "${BASH_COMMAND}" "${?}"' ERR


__license__(){
    local _date_year="$(date +'%Y')"
    cat <<EOF
${__DESCRIPTION__}
Copyright (C) ${_date_year:-2020} ${__AUTHOR__:-S0AndS0}

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, version 3 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.
EOF
}


usage() {
    local _message="${1}"
    cat <<EOF
${__DESCRIPTION__}


## Arguments ${__NAME__%.*} responds to


--help | -h

    Prints this message and exits


--x11vnc-listen-port="${_x11vnc_listen_port}"

    Default '5900', port that x11vnc will serve XWindow session on 'localhost' for this device.

    Note, if listen port is already in use then session will be reused, otherwise a new session will be initialized.


--vnc-viewer-port="${_vnc_viewer_port}"

    Default '5900', port that remote host will connect to on their relative 'localhost' to view forwarded XWindow session.

    Note, if 'xscreensaver' is detected on remote host, then it will be disabled until x11vnc session is terminated


--vnc-viewer-name="${_vnc_viewer_name}"

    Default 'vncviewer', executable name of VNC Viewer.

    Note, if troubles are had when using a VNC Viewer other than 'vncviewer', please try 'vncviewer' before opening a new Issue.


--id="${_id}"

    Default 'pick', XWindow ID to forward to remote host.

    Note, if set to 'none' then entire XWindow session will be forwarded.


${_target_host:-<target-host>}

    Required, remote SSH host that XWindow session will be forwarded to.


## Example


${__NAME__} raspberrypi
EOF

    [[ "${#_message}" -gt '0' ]] && {
        printf >&2 '\n## Error: %s\n' "${_message}"
    }
}


## Defaults
_target_host=''
_x11vnc_listen_port='5900'
_vnc_viewer_port='5900'
_id='pick'
_vnc_viewer_name='vncviewer'


## Save passed arguments and acceptable arguments to Bash arrays
_passed_args=("${@:?No arguments provided}")
_acceptable_args=(
    '--help|-h:bool'
    '--x11vnc-listen-port:alpha_numeric'
    '--vnc-viewer-port:alpha_numeric'
    '--id:alpha_numeric'
    '--target-host:path-nil'
)


## Pass arrays by reference/name to the `argument_parser` function
argument_parser '_passed_args' '_acceptable_args'
_exit_status="$?"


## Print documentation for the script and exit, or allow further execution
((_help)) || ((_exit_status)) && {
    usage
    exit "${_exit_status:-0}"
}

(("${#_target_host}")) || {
    usage 'Missing target host parameter'
    exit 1
}


## Note, '-shared' with '-forever' and '-threads' or '-once' may be wanted
##  in addition to the following options
_x11vnc_server_opts=(
    '-quiet'
    '-noshared'
    '-viewonly'
    '-noremote'
    '-nobell'
    '-nosel'
    '-noprimary'
    '-nosetprimary'
    '-noclipboard'
    '-nosetclipboard'
    # '-disablefiletransfer'  ## Un-comment for older versions
    '-cursor' 'most'
    '-noipv6'
    '-allow' '127.0.0.1'
    '-autoport' "${_x11vnc_listen_port}"
    '-listen' '127.0.0.1'
    '-nopw'
    '-nossl'
    '-bg'
)

[[ "${_id}" =~ 'none' ]] || {
  _x11vnc_server_opts+=(
    '-id' "${_id}"
  )
}


_vnc_viewer_opts=(
    '-viewonly'
    '-fullscreen'
    "localhost::${_vnc_viewer_port}"
)


grep -q -- "${_x11vnc_listen_port}" <<<"$(netstat -plantu 2>/dev/null)" || {
    printf '# Running: x11vnc %s\n' "${_x11vnc_server_opts[*]}"
    x11vnc "${_x11vnc_server_opts[@]}"
}


initialize_connection() {
    ssh -R localhost:${_vnc_viewer_port}:localhost:${_x11vnc_listen_port} "${_target_host}" <<EOF
    reinitalize_xscreensaver(){
        echo 'Resuming: xscreensaver'
        DISPLAY=:0 xscreensaver -no-splash 2>&1 >/dev/null &
        sleep 3
        DISPLAY=:0 xscreensaver-command -activate
    }


    initalize_viewer(){
        ## The heredoc is unquoted, so these are escaped to run on the remote
        ##  host instead of being expanded on the local side
        _xscreensaver_time="\$(DISPLAY=:0 xscreensaver-command -time 2>&1)"
        [[ "\${_xscreensaver_time}" =~ 'no screensaver is running' ]] || {
            trap 'reinitalize_xscreensaver' RETURN SIGINT SIGTERM EXIT
            echo 'Halting: xscreensaver'
            DISPLAY=:0 xscreensaver-command -deactivate
            DISPLAY=:0 xscreensaver-command -exit
        }

        printf 'Starting: %s %s\n' "\$(which ${_vnc_viewer_name})" "${_vnc_viewer_opts[*]}"
        DISPLAY=:0 \$(which ${_vnc_viewer_name}) ${_vnc_viewer_opts[@]}
        return "\${?}"
    }

    initalize_viewer
EOF
}


initialize_connection &
_connection_pid="$!"

printf 'Press %s to quit...\n' "q"
while read -n1 -r _input; do
    case "${_input,,}" in
        q)
            printf 'Killing PID %i\n' "${_connection_pid}"
            kill "${_connection_pid}"
            sleep 2
            printf 'Please use Ctrl^c to exit!'
        ;;
    esac

    sleep 1
done

shared_functions/modules/argument-parser/argument-parser.sh

#!/usr/bin/env bash


# argument-parser.sh, source it in other Bash scripts for argument parsing
# Copyright (C) 2019  S0AndS0
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation; version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.


shopt -s extglob


_TRUE='1'
_DEFAULT_ACCEPTABLE_ARG_LIST=('--help|-h:bool' '--foo|-f:print' '--path:path-nil')


arg_scrubber_alpha_numeric(){ printf '%s' "${@//[^a-z0-9A-Z]/}"; }


## Keep printable characters, tabs and newlines; escape literal dots for regex use
arg_scrubber_regex(){ printf '%s' "$(sed 's@\.@\\.@g' <<<"${@//[^[:print:]$'\t'$'\n']/}")"; }


## Collapse runs of dots and dashes after removing characters not allowed in lists
arg_scrubber_list(){
    printf '%s' "$(sed 's@\.\.*@.@g; s@--*@-@g' <<<"${@//[^a-z0-9A-Z,+_./@:-]/}")"
}


arg_scrubber_path(){
    printf '%s' "$(sed 's@\.\.*@.@g; s@--*@-@g' <<<"${@//[^a-z0-9A-Z ~+_./@:-]/}")"
}


## Reduce to a portable (POSIX-style) name of at most 32 characters
arg_scrubber_posix(){
    _value="${@//[^a-z0-9A-Z_.-]/}"
    _value="$(sed 's@^[-_.]@@g; s@[-_.]$@@g; s@\.\.*@.@g; s@--*@-@g' <<<"${_value}")"
    printf '%s' "${_value::32}"
}


return_scrubbed_arg(){
    _raw_value="${1}"
    _opt_type="${2:?## Error - no option type provided to return_scrubbed_arg}"
    case "${_opt_type}" in
        'bool'*)  _value="${_TRUE}"      ;;
        'raw'*)   _value="${_raw_value}" ;;
        'path'*)  _value="$(arg_scrubber_path "${_raw_value}")"  ;;
        'posix'*) _value="$(arg_scrubber_posix "${_raw_value}")" ;;
        'print'*) _value="${_raw_value//[^[:print:]]/}"          ;;
        'regex'*) _value="$(arg_scrubber_regex "${_raw_value}")" ;;
        'list'*)  _value="$(arg_scrubber_list "${_raw_value}")"  ;;
        'alpha_numeric'*) _value="$(arg_scrubber_alpha_numeric "${_raw_value}")" ;;
    esac

    if [[ "${_opt_type}" =~ ^'bool'* ]] || [[ "${_raw_value}" == "${_value}" ]]; then
        printf '%s' "${_value}"
    else
        printf '## Error - return_scrubbed_arg detected differences in values\n' >&2
        return 1
    fi
}


argument_parser(){
    local -n _arg_user_ref="${1:?# No reference to an argument list/array provided}"
    local -n _arg_accept_ref="${2:-_DEFAULT_ACCEPTABLE_ARG_LIST}"
    _args_user_list=("${_arg_user_ref[@]}")
    unset _assigned_args
    for _acceptable_args in ${_arg_accept_ref[@]}; do
        ## Take a break when user supplied argument list becomes empty
        (( "${#_args_user_list[@]}" == '0' )) && break
        ## First in listed acceptable arg is used as variable name to save value to
        ##  example, '--foo-bar fizz' would transmute into '_foo_bar=fizz'
        _opt_name="${_acceptable_args%%[:|]*}"
        _var_name="${_opt_name#*[-]}"
        _var_name="${_var_name#*[-]}"
        _var_name="_${_var_name//-/_}"
        ## Divine the type of argument allowed for this iteration of acceptable args
        case "${_acceptable_args}" in
            *':'*) _opt_type="${_acceptable_args##*[:]}" ;;
            *)     _opt_type="bool"                      ;;
        esac
        ## Set case expressions to match user arguments against and for non-bool type
        ##  what alternative case expression to match on.
        ##  example '--foo|-f' will also check for '--foo=*|-f=*'
        _arg_opt_list="${_acceptable_args%%:*}"
        _valid_opts_pattern="@(${_arg_opt_list})"
        case "${_arg_opt_list}" in
            *'|'*) _valid_opts_pattern_alt="@(${_arg_opt_list//|/=*|}=*)" ;;
            *)     _valid_opts_pattern_alt="@(${_arg_opt_list}=*)"        ;;
        esac
        ## Attempt to match up user supplied arguments with those that are valid
        for (( i = 0; i < "${#_args_user_list[@]}"; i++ )); do
            _user_opt="${_args_user_list[${i}]}"
            case "${_user_opt}" in
                ${_valid_opts_pattern})     ## Parse for script-name --foo bar or --true
                    if [[ "${_opt_type}" =~ ^'bool'* ]]; then
                        _var_value="$(return_scrubbed_arg "${_user_opt}" "${_opt_type}")"
                        _exit_status="${?}"
                    else
                        ## Arithmetic increment; `i+=1` would append the string "1"
                        (( i += 1 ))
                        _var_value="$(return_scrubbed_arg "${_args_user_list[${i}]}" "${_opt_type}")"
                        _exit_status="${?}"
                        unset _args_user_list[$(( i - 1 ))]
                    fi
                ;;
                ${_valid_opts_pattern_alt}) ## Parse for script-name --foo=bar
                    _var_value="$(return_scrubbed_arg "${_user_opt#*=}" "${_opt_type}")"
                    _exit_status="${?}"
                ;;
                *)                          ## Parse for script-name direct_value
                    case "${_opt_type}" in
                        *'nil'|*'none')
                            _var_value="$(return_scrubbed_arg "${_user_opt}" "${_opt_type}")"
                            _exit_status="${?}"
                        ;;
                    esac
                ;;
            esac
            if ((_exit_status)); then return ${_exit_status}; fi
            ## Break on matched options after clearing temp variables and re-assigning
            ##  list (array) of user supplied arguments.
            ## Note, re-assigning is to ensure the next looping indexes correctly
            ##  and is designed to require less work on each iteration
            if [[ -n "${_var_value}" ]]; then
                declare -g "${_var_name}=${_var_value}"
                declare -ag "_assigned_args+=('${_opt_name}="${_var_value}"')"
                unset _user_opt
                unset _var_value
                unset _args_user_list[${i}]
                unset _exit_status
                _args_user_list=("${_args_user_list[@]}")
                break
            fi
        done
        unset _opt_type
        unset _opt_name
        unset _var_name
    done
}

Note, the source code for argument-parser.sh is a Git Submodule maintained on GitHub at bash-utilities/argument-parser, and can be cloned individually via…

mkdir -vp ~/git/hub/bash-utilities
cd ~/git/hub/bash-utilities

git clone git@github.com:bash-utilities/argument-parser.git

shared_functions/modules/trap-failure/failure.sh

#!/usr/bin/env bash


# Bash Trap Failure, a submodule for other Bash scripts tracked by Git
# Copyright (C) 2019  S0AndS0
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation; version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.


## Outputs Front-Matter formatted failures for functions not returning 0
## Use the following line after sourcing this file to set failure trap
##    trap 'failure "LINENO" "BASH_LINENO" "${BASH_COMMAND}" "${?}"' ERR
failure(){
    local -n _lineno="${1:-LINENO}"
    local -n _bash_lineno="${2:-BASH_LINENO}"
    local _last_command="${3:-${BASH_COMMAND}}"
    local _code="${4:-0}"

    ## Workaround for read EOF combo tripping traps
    ((_code)) || {
      return "${_code}"
    }

    local _last_command_height="$(wc -l <<<"${_last_command}")"

    local -a _output_array=()
    _output_array+=(
        '---'
        "lines_history: [${_lineno} ${_bash_lineno[*]}]"
        "function_trace: [${FUNCNAME[*]}]"
        "exit_code: ${_code}"
    )

    [[ "${#BASH_SOURCE[@]}" -gt '1' ]] && {
        _output_array+=('source_trace:')
        for _item in "${BASH_SOURCE[@]}"; do
            _output_array+=("  - ${_item}")
        done
    } || {
        _output_array+=("source_trace: [${BASH_SOURCE[*]}]")
    }

    [[ "${_last_command_height}" -gt '1' ]] && {
        _output_array+=(
            'last_command: ->'
            "${_last_command}"
        )
    } || {
        _output_array+=("last_command: ${_last_command}")
    }

    _output_array+=('---')
    printf '%s\n' "${_output_array[@]}" >&2
    exit ${_code}
}

Note, the source code for failure.sh is a Git Submodule maintained on GitHub at bash-utilities/trap-failure, and can be cloned individually via…

mkdir -vp ~/git/hub/bash-utilities
cd ~/git/hub/bash-utilities

git clone git@github.com:bash-utilities/trap-failure.git
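On the third question above (ending the connection with one key press): the two-step quit comes from killing only the PID of the backgrounded function while the ssh process it spawned keeps running. The function below is an added example, not part of the x11vnc-push-xwindow project. It runs the connection as a background job in its own process group, so one signal to that group ends ssh and whatever it started, whether the user pressed q or Ctrl-C; `sleep` stands in for the ssh command line, and in the script it would be called as `run_until_quit initialize_connection`.

```shell
#!/usr/bin/env bash
# Added example, not part of the x11vnc-push-xwindow project. The connection runs
# as a background job in its own process group, and one signal to that group
# ends ssh and whatever it started, whether the user pressed q or Ctrl-C. Any
# long-running command (or shell function) can be passed; `sleep` stands in for
# the ssh command line in the demo and test.

_LAST_PID=''   # PID of the last connection started, for callers that want it

# run_until_quit <command> [args...]
run_until_quit() {
    # Job control (set -m) puts each background job in its own process group,
    # so `kill -- -PID` reaches ssh and its children in one go. stdin is
    # detached so the job cannot swallow the keystrokes read below.
    set -m
    "$@" </dev/null &
    local _pid="$!"
    _LAST_PID="${_pid}"
    set +m

    _stop_connection() {
        kill -- "-${_pid}" 2>/dev/null || kill "${_pid}" 2>/dev/null || true
        wait "${_pid}" 2>/dev/null || true   # reap it so the PID is really gone
    }
    # Ctrl-C takes the same cleanup path as q, so there is no second step.
    trap '_stop_connection; trap - INT TERM; exit 130' INT TERM

    printf 'Press q to quit...\n'
    local _key _rc
    while kill -0 "${_pid}" 2>/dev/null; do
        _key=''; _rc=0
        read -r -s -n1 -t 1 _key || _rc=$?
        if (( _rc == 0 )) && [[ "${_key,,}" == 'q' ]]; then
            break
        elif (( _rc > 0 && _rc <= 128 )); then
            # stdin reached EOF (no more keys): just wait for the job to end.
            wait "${_pid}" 2>/dev/null || true
            break
        fi
        # _rc > 128 is the one-second timeout: loop and re-check the job.
    done
    _stop_connection
    trap - INT TERM
    return 0
}

# Usage in the script above (the heredoc inside the function still feeds ssh):
#   run_until_quit initialize_connection
```

Because `initialize_connection` is a shell function, passing its name runs it in a background subshell that owns the ssh process; the remote side's `trap ... EXIT` in the heredoc then fires when ssh closes, so xscreensaver is restored without any further step.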

Using apache mina for ssh using signed ssh-rsa-cert-01 from Certification Authority

There is an existing client configured and running (SshClient) using Apache MINA to ssh to one of our internal jump boxes. It currently uses PEM-based authentication. Due to compliance we have to switch to using internally signed certificates (internally we are using HashiCorp Vault as a CA). I’m unable to find any documentation regarding how to use signed certificates for ssh in Apache MINA to start with. Is it not supported? Will I perhaps have to use another Java SSH library?

ssh – How fast is decryption by the FIPS Series YubiKey?

From what I understand, YubiKeys decrypt data directly within themselves, so this could slow down large downloads over SFTP (made possible by SSH-enabled subkeys in your GPG keyring). This would also apply when decrypting large GPG encrypted files. Please correct me if I’m wrong.

Encryption to another person’s public key likely doesn’t occur on the device, because the public keys aren’t themselves protected secrets. When signing a file, you’re just signing a small checksum of the file, so I wouldn’t expect much of a bottleneck there either.

So, given that decryption could be a bottleneck, what is the speed of decryption (in KB/s or MB/s) for large files encrypted to a 4096 bit RSA key on a FIPS Series YubiKey? Does the YubiKey have accelerated AES hardware that does most of the lifting?

I’m also interested in decryption speeds of other models from Yubico if you know stats for any of those. Thanks!

linux – How to use reverse ssh tunnels to connect servers across private networks

I have a system of computers behind a private network A, that I would like to access from my laptop, on private network B. My goal is to be able to access a web server on port 8006, ssh into multiple devices on the network, and preferably access an smb share. I have a server on a public IP that is currently accepting a reverse ssh connection from one of my servers behind network A. At the moment, I am able to ssh into my public server and ssh into localhost on a different user and port and access one of my servers behind network A. I would really like to be able to ssh into a device on the network with only one command, instead of running multiple ssh commands on multiple devices. I have tried connecting to my public server on the port that should pass to the private network, but I am unable to connect and have to ssh into the default port of the server first then ssh into localhost on the correct port. Please ask if you need more info. If anyone can help, I really appreciate it. Thank you!

Note: I know I can use something like OpenVPN or pritunl to access the network remotely, but I would rather be able to expose different parts of the network to the internet through my public server so that I can access things from other computers without downloading a client or script to run to connect to the VPN.
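The single-command access asked for above is what ProxyJump does: the laptop connects to the public server and asks it for a channel to the loopback port where a device's reverse tunnel terminates, so no second ssh is typed. The script below is an added example, not part of the question; all host names, user names and ports in it are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original question. Single-command access to a
# device behind network A works with ProxyJump: the laptop connects to the
# public server and asks it for a channel to the loopback port where that
# device's reverse tunnel ends. Host names, users and ports are placeholders.

PUBLIC_HOST='public.example.invalid'   # placeholder: the server with the public IP
PUBLIC_USER='tunnel'                   # placeholder: account that accepts the tunnels

# reverse_tunnel_cmd <ssh-port> <web-port>: the command the private-side server
# keeps running. Each -R binds a loopback-only port on the public server and
# sends it back to this device (sshd on 22, the web UI on 8006 from the question).
reverse_tunnel_cmd() {
    local ssh_port="$1" web_port="$2"
    echo "ssh -N -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes" \
         "-R 127.0.0.1:${ssh_port}:localhost:22" \
         "-R 127.0.0.1:${web_port}:localhost:8006" \
         "${PUBLIC_USER}@${PUBLIC_HOST}"
}

# emit_ssh_config <alias:port>...: ~/.ssh/config stanzas for the laptop. After
# this, `ssh nas` is one command, and `ssh -L 8006:localhost:8006 pve` brings
# the device's web UI to the laptop's own port 8006 through the same hop.
# HostKeyAlias keeps each device's host key separate even though every stanza
# says HostName localhost.
emit_ssh_config() {
    printf 'Host %s\n    User %s\n\n' "${PUBLIC_HOST}" "${PUBLIC_USER}"
    local pair alias port
    for pair in "$@"; do
        alias="${pair%%:*}"; port="${pair##*:}"
        printf 'Host %s\n    HostName localhost\n    Port %s\n    ProxyJump %s\n    HostKeyAlias %s\n\n' \
            "${alias}" "${port}" "${PUBLIC_HOST}" "${alias}"
    done
}

# Demo: the tunnel command for one device and the client config for two.
reverse_tunnel_cmd 2201 8006
emit_ssh_config nas:2201 pve:2202
```

Keeping the -R bindings on 127.0.0.1 (the default with GatewayPorts no) means the private devices are reachable only to accounts that can authenticate to the public server, which is the exposure model the question wants; the tunnel account on that server can additionally be given `restrict,port-forwarding` in its authorized_keys entry so it can forward but not open a shell.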

ssh – Why do only some applications generate “MobaXterm X11 proxy: Unsupported authorisation protocol” error?

This question is related to How to fix “MobaXterm X11 proxy: Unsupported authorisation protocol”, but the answer there did not work for me.

I use MobaXterm to ssh from a Windows PC to a Linux PC, and I know that MobaXterm has an X11 server which allows GUI applications spawned in the Linux environment to appear in the Windows environment (sorry if my terminology is clunky).

I want to run baobab because I want to analyze disk space hogs. I guess I need to run sudo baobab because otherwise baobab reports permission errors and isn’t useful.

Problem/question: if I run baobab the GUI appears, but if I run sudo baobab, I get this error:

$ sudo baobab
[sudo] password for user:
MobaXterm X11 proxy: Unsupported authorisation protocol
Unable to init server: Could not connect: Connection refused

(baobab:219372): Gtk-WARNING **: 13:54:54.003: cannot open display: localhost:10.0

I get the same result with firefox vs sudo firefox.

What is the problem, and how do I work around it?

I’ve already tried the xauth add suggestion at the linked post. Display port 10 was already listed to begin with, but I added a new entry anyway, and it didn’t make any difference:

$ xauth list
linxbox/unix:1  MIT-MAGIC-COOKIE-1  090ae067d5c16d139a64536f9c5d758e
linxbox/unix:2  MIT-MAGIC-COOKIE-1  3e67e02956713af7560d0ecb34e159b4
linxbox/unix:12  MIT-MAGIC-COOKIE-1  473351e10715668bf13345d24835671f
linxbox/unix:11  MIT-MAGIC-COOKIE-1  5f005e7a67371788e58f9a605132a3cf
linxbox.company.com:1  MIT-MAGIC-COOKIE-1  090ae02bd5676d099134536f9c5d758e
linxbox/unix:10  MIT-MAGIC-COOKIE-1  988522a45f0b77bf4567ceb132f4e0d8
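A forwarded display is authorised by the MIT-MAGIC-COOKIE-1 entry that ssh wrote into the invoking user's authority file. sudo's env_reset drops XAUTHORITY and gives root its own HOME, so a program run under sudo looks for the cookie in root's authority file; when that file has no entry for the display, the X11 proxy receives no usable authorization and refuses the connection, while the same program run as the user works. The helper below is an added example, not part of the question: it compares two `xauth list` outputs for a DISPLAY value and prints the `xauth add` line root needs. The user listing is the one from the question; the root listing is constructed as empty, the usual case.

```shell
#!/usr/bin/env bash
# Added example, not from the original question. The MIT-MAGIC-COOKIE for a
# forwarded display lives in the invoking user's authority file; under sudo,
# root's xauth reads root's own file, and a missing entry there means the X11
# proxy receives no usable authorization. These helpers compare the two
# listings for $DISPLAY. USER_XAUTH is the listing from the question;
# ROOT_XAUTH is constructed as empty.

USER_XAUTH='linxbox/unix:1  MIT-MAGIC-COOKIE-1  090ae067d5c16d139a64536f9c5d758e
linxbox/unix:2  MIT-MAGIC-COOKIE-1  3e67e02956713af7560d0ecb34e159b4
linxbox/unix:12  MIT-MAGIC-COOKIE-1  473351e10715668bf13345d24835671f
linxbox/unix:11  MIT-MAGIC-COOKIE-1  5f005e7a67371788e58f9a605132a3cf
linxbox.company.com:1  MIT-MAGIC-COOKIE-1  090ae02bd5676d099134536f9c5d758e
linxbox/unix:10  MIT-MAGIC-COOKIE-1  988522a45f0b77bf4567ceb132f4e0d8'
ROOT_XAUTH=''

# xauth_entry <display> <xauth-list-text> <short-hostname>
# Prints the entry xauth uses for the display (a forwarded localhost:N display
# is stored as <host>/unix:N), or returns 1 when the listing has none.
xauth_entry() {
    local num="${1##*:}"; num="${num%%.*}"      # "localhost:10.0" -> "10"
    awk -v n="$num" -v host="$3" '
        $1 == (host "/unix:" n) || $1 == ("localhost:" n) || $1 == ("unix:" n) { found = 1; print; exit }
        END { exit !found }' <<<"$2"
}

# x11_cookie_check <display> <user-listing> <root-listing> <short-hostname>
# Prints "ok" when root already holds the cookie, otherwise the command that
# copies the user's cookie into root's authority file.
x11_cookie_check() {
    local display="$1" user_entry
    user_entry="$(xauth_entry "$display" "$2" "$4")" || {
        echo "no cookie for $display in the user's listing"; return 1
    }
    if xauth_entry "$display" "$3" "$4" >/dev/null; then
        echo ok
    else
        # Run as root, e.g. via `sudo xauth add ...`; the cookie is the user's own.
        echo "xauth add $user_entry"
    fi
}

# Demo with the question's listing against an empty root listing.
x11_cookie_check localhost:10.0 "$USER_XAUTH" "$ROOT_XAUTH" linxbox
```

On the real machine the inputs are `xauth list` as the user and `sudo xauth list` as root, with `$(hostname -s)` as the last argument. The alternative that avoids copying cookies into root's file is to keep the user's authority file in scope for that one command: `sudo env XAUTHORITY="${XAUTHORITY:-$HOME/.Xauthority}" baobab`.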